Post

New SCADA Vulnerability Enables Remote Control of ICS Networks

As part of our ongoing R&D efforts we occasionally discover vulnerabilities in industrial controllers (PLCs, RTUs, DCS etc.) and software tools. Recently, Indegy Labs team discovered a vulnerability in Unity Pro, Schneider Electric’s flagship software application for managing and programming industrial controllers. Before we get into the specifics, it’s important to point out that unlike in IT networks, a vulnerability is not necessarily required to compromise controllers in an ICS network. That’s because:

Industrial controllers lack authentication

Industrial communication protocols lack encryption

Surprising as it might sound, anyone who has access to the control network, also has unfettered access to all of its industrial controllers. This means that anyone who can ping a controller, can probably send a it stop command or reprogram the device to cause operational disruptions.

Nonetheless, some vulnerabilities can pose exceptional risk to ICS networks.

The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.

As a result of Indegy’s responsible disclosure, Schneider Electric has published an important secuirty notification and developed a new release of its product which fixes this vulnerability.

Further Details

The Unity Pro software platform runs on Microsoft Windows machines. The vulnerability found affects all versions of this software, including the latest one. It resides in one of its components named ‘Unity Pro PLC Simulator’, that is used to test industrial controllers’ code prior to executing it on the controllers themselves. The control code projects are compiled as x86 instructions and loaded onto the PLC Simulator using a proprietary format named ‘apx’.

Since these x86 instructions are later executed ‘as is’ by the simulator, an attacker can direct their control flow to execute arbitrary malicious code. As bothersome as this might sound (being a somewhat ‘classical’ data/code mixture), the knock-out is that receiving .apx files from a remote location to execute them on the simulator is natively supported by the Unity Pro software platform!

Schematic Industrial control network architecture

To implement the attack, no patching of the simulator process at any stage is needed, only the .apx file is being patched.

To build such an .apx file, the attacker needs to create a large project file with enough random binary PLC code, and then replace it with the combination of bridgehead shellcode and malicious payload. To preserve the integrity of the file, the attacker then needs to overcome several checksum calculations. Finally, the specially crafted project file is downloaded to the simulator remotely over a TCP port, which is open by default. There are few available implementations allowing one to download an .apx file to a simulator or a controller without wrapping it with the file format used by Unity Pro (though this path could be taken as well, which will result in a weaker attack). The latter is done by imitating Unity Pro’s communication protocol with the controllers.

Our Recommendations

The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use a manipulated .apx file to execute malicious code. Since the delivery of the .apx file is an engineering control-plane activity, executed over a proprietary protocol, it is difficult to identify and detect.

The use of proprietary protocols for control-plane activities is a common yet misunderstood practice in ICS networks. Unlike IT networks where data-plane and control-plane activities are executed over the same communication protocols, in ICS networks different protocols are used for these activities.

Widely known protocols like MODBUS, PROFINET and DNP3, are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place. The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs) are executed over proprietary, vendor specific protocols which are unnamed, undocumented, and unmonitored.

To identify such attacks and ensure the integrity of critical control devices, the proprietary control-plane protocols of ICS networks must be monitored.

Thank Marc for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

More Posts

How viable is blockchain technology? The federal Department of Energy (DoE) intends to find out. The DoE is putting a $200,000 grant into a trial of the technology to see if it can help protect the national power grid. The project aims to..

In the emerging age of the industrial Internet of Things and DERs, threat landscapes of information technology (IT) and operational technology (OT) have become intertwined, with data at the core.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.